Inconsistency with file names coming from Microsoft AV hashes is causing alerts to populate null results when firing off after a file has been quarantined.
Currently, we are matching the hashes based on a lookup that is generated by a saved search. We are having problems with our regex expression because the file names within the WinEvent Log message are not consistent. We are trying to extract the file name. Most of the time, our regex is successful in pulling out the file name for the field. However, there are times when the file name is not extracted properly due to the format of the log being different (returning values that append (GZIP) or other characters). The main problem is that we are seeing it showing the entire zip location and not just the actual file itself.
Any suggestions to this would be awesome. The query being used to look at these events and extraction, then outputting to a lookup is:
This report runs every 5 minutes and scans for new files and hashes.
index=wineventlog (sourcetype="WinEventLog:System" OR sourcetype="WinEventLog:Microsoft-Windows-Windows Defender/Operational") EventCode=1120 (SourceName="Microsoft Antimalware" OR SourceName="Microsoft-Windows-Windows Defender") earliest=-5m@m latest=@m
| rex field=Threat_resource_path "(?<file_name>[^\\]+$)"
| stats count BY file_name ComputerName Hashes
| fields - count
| inputlookup append=t .csv
| dedup ComputerName Hashes
| outputlookup .csv
Example of a log that has trouble with extraction:
02/20/2020 02:20:44 AM
Message=Windows Defender Antivirus has deduced the hashes for a threat resource.
Current Platform Version: 4.18.1911.3
Threat resource path: C:\Users\usergoeshere\AppData\Local\Google\Chrome\User Data\Default\Cache\f_019fa8->(GZip)
The filename extraction wants to pull the entire f_019fa8->(GZip) as opposed to just f_019fa8. 😞
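A stand-alone check of the extraction the question describes, added here as an example in Python rather than taken from the thread: it splits a Threat resource path into the on-disk file name (the value the hash lookup should key on) and whatever Defender appended after `->`, and carries the same regex so you can confirm what `rex` will return before changing the saved search. The sample paths are constructed, and the `archive.zip->member` form is an assumption not shown on the page.

```python
import re
from typing import NamedTuple, Optional


class ThreatResource(NamedTuple):
    on_disk_name: str                # file name as it exists on disk: the value to key the hash lookup on
    container_suffix: Optional[str]  # text Defender appended after "->", e.g. "(GZip)", or None


def parse_threat_resource_path(path: str) -> ThreatResource:
    """Split a Defender 'Threat resource path' value into on-disk file name and '->' suffix.

    Handles a plain path, the '->(GZip)' form from the question, and (assumed, not shown
    on the page) an 'archive.zip->member' container form. Only the last backslash-delimited
    segment is inspected, so a '->' inside a directory name is ignored.
    """
    last_segment = path.strip().rsplit("\\", 1)[-1]
    name, sep, suffix = last_segment.partition("->")
    if not name:
        raise ValueError(f"no file name in {path!r}")
    return ThreatResource(name, suffix if sep else None)


# Regex equivalent for Splunk rex; write the group as (?<file_name>...) there.
# The lazy [^\\]+? stops at the first "->" inside the last path segment, or at end of
# string, so "f_019fa8->(GZip)" yields f_019fa8 and "invoice.exe" yields invoice.exe.
FILE_NAME_RE = re.compile(r"(?P<file_name>[^\\]+?)(?:->[^\\]*)?$")


def extract_with_regex(path: str) -> Optional[str]:
    """Same extraction via the regex, to confirm what rex will return before editing the search."""
    match = FILE_NAME_RE.search(path.strip())
    return match.group("file_name") if match else None


if __name__ == "__main__":
    # Constructed sample values (not real telemetry) in the shape of the question's event.
    samples = [
        r"C:\Users\usergoeshere\AppData\Local\Google\Chrome\User Data\Default\Cache\f_019fa8->(GZip)",
        r"C:\Users\usergoeshere\Downloads\invoice.exe",
        r"C:\Users\usergoeshere\Downloads\bundle.zip->payload.exe",
    ]
    for sample in samples:
        parsed = parse_threat_resource_path(sample)
        assert parsed.on_disk_name == extract_with_regex(sample)
        print(f"{parsed.on_disk_name!r:20} suffix={parsed.container_suffix!r}  <- {sample}")
```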
Knowing that the greater than (>) symbol is illegal in Windows filenames, you could modify your regex thusly:
| rex field=Threat_resource_path "(?<fname>[\w\:\.\\\-\s]+)\>?"
Then you merely need to pull the final hyphen (-), if there is one:
| eval fname=rtrim(fname,"-")
There's probably an even snazzier way to do this with just a regex - but this works
| rex field=Threat_resource_path "(?<file_name>[^\\]+?)(?:->|$)"
| makeresults | eval Threat_resource_path="C:\Users\usergoeshere\AppData\Local\Google\Chrome\User Data\Default\Cache\f_019fa8->(GZip)" | rex field=Threat_resource_path "^.*\\\(?<fname>\w+)"
There are various regular expressions.